Reference Guide

CSP Header Examples by Platform

Copy and adapt Content Security Policy deployment syntax for HTTP responses, nginx, Apache, Netlify, Vercel, Cloudflare Pages, Next.js, Remix, Express, and Fastify.

Generate Header
Deploy

What is a CSP header?

Use these examples to place a generated CSP in the right deployment format. For policy strategy by site type, use CSP examples. For staged rollout, use report-only CSP.

Caveat

Meta tags are limited

HTTP response headers are preferred for a production Content Security Policy header. A meta CSP can help in narrow cases, but it cannot support every directive and should not be treated as a full replacement for server headers.

Workflow

How do I create a CSP header?

Generate a policy from scan evidence, choose the deployment format for your host or framework, test with report-only CSP, then ship the enforced Content-Security-Policy header when the policy is stable.

HTTP

Plain HTTP CSP header

Meta

Meta tag caveat

nginx

nginx CSP header

Apache

Apache CSP header

Netlify

Netlify CSP _headers

Vercel

Vercel CSP header config

Cloudflare Pages

Cloudflare Pages CSP _headers

Express or Fastify

Express and Fastify CSP middleware

Next.js or Remix

Next.js and Remix CSP headers

Render

Render Go or Gin middleware

CloudFront or S3

CloudFront Function CSP header

WordPress

WordPress or Apache .htaccess

Rails

Rails CSP initializer

Django

Django CSP middleware

Laravel

Laravel CSP middleware

Spring Security

Spring Security CSP header

Helmet.js

Express CSP with Helmet.js

Cloudflare Workers

Cloudflare Worker CSP header

Warning

Common CSP header formatting errors

  • Splitting one CSP header across multiple conflicting headers.
  • Forgetting semicolons between directives.
  • Using curly quotes around 'self' or 'none'.
  • Deploying only a meta tag when the server can set an HTTP response header.
  • Copying a generated header without testing it in report-only mode first.
Directive Glossary

Compact CSP directive glossary

These are the directives most often involved when you create a CSP, validate a generated policy, or read browser violation reports.

default-src Fallback policy for resource types that do not have a more specific directive.
script-src Controls JavaScript sources, inline script hashes, nonces, and risky values like 'unsafe-eval'.
style-src Controls stylesheets and inline style allowances, including hashes or nonces when used.
img-src Controls image sources, including common allowances such as same-origin CDNs or carefully reviewed data: images.
connect-src Controls fetch, XHR, WebSocket, EventSource, and API endpoints.
font-src Controls web font sources such as local assets, Google Fonts, or a private asset CDN.
frame-src Controls iframes and embedded content loaded by your page.
frame-ancestors Controls which parent pages may embed your page and helps prevent clickjacking.
object-src Controls legacy plugin content. Most modern policies set this to 'none'.
base-uri Restricts which URLs can be used in a document <base> element.
form-action Controls where forms can submit data.
report-to Names a Reporting API endpoint for CSP violation reports.

CSP Header Examples FAQ

Should I deploy CSP as an HTTP header or a meta tag?

Use an HTTP response header whenever possible. Meta CSP has limitations and is best treated as a fallback for narrow cases.

Can I deploy more than one CSP header?

You can, but multiple policies can combine in surprising ways. Most teams should deploy one reviewed policy per response.

Where should I put report-only CSP?

Deploy report-only CSP with the Content-Security-Policy-Report-Only header, not the enforced Content-Security-Policy header.

Next Step

Generate a CSP header from real scan evidence

Use the CSP scanner and header generator to produce a deployment-formatted candidate, then review and adapt the matching platform syntax from this reference.

Run CSP Scanner